Computer systems and networks can employ various measures to prevent activity by unauthorized users. For example, a network can require a username and password to authenticate a user before allowing access. However, there remains a need for a security system to better detect anomalous activity, for example, when an authenticated user is actually a malicious actor. In addition, anomalous network activity generally lacks real-world identifiers. As such, it can often be difficult to attribute anomalous activity on a network to a particular malicious actor or group.